Almost anyone who has grown up on Windows must have had the notion (that I had) of Linux being more secure than Windows- one of reasons being you don't have to worry about using an anti-virus on Linux!!

What is the basis of this notion? And to what degree is it true?

Has this got anything to do with the Open-source nature of Linux? Its community support? Its underlying architecture (and the difference from Windows)?

This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.

There are two completely different Windows series: the Windows 95 and the Windows NT. XP, Vista, Seven originate from Windows NT. The historical basis of Windows being inherently insecure may be that Windows 3 enforced no security boundaries at all (and didn't even tried).
– curiousguyJun 28 '12 at 12:17

Do you count IE has a Windows thing or as a normal program?
– curiousguyJun 28 '12 at 12:24

@curiousguy My doubt is more about the OSs, and not their programs.
– pnpJun 28 '12 at 13:26

"But my question is more from a layman's perspective of 'security' - viruses, malwares, et al" Then the vulnerabilities in the programs you are using, esp. web browser (but not only) matter a lot.
– curiousguyJun 28 '12 at 15:35

At least at the kernel level, you're seeing more CVE reports of remote execution exploits and privilege escalation in Windows, more local DoS attacks to a multi-user environment in Linux, also you'll find more critical CVEs on Windows (I had a bunch of statistical breakdowns from a CVE database but I can't find that post I made months ago, so frustrating! Google isn't helping me find it...).

As you can see Server 2008 has a much higher weighted average of CVE severity:

Of course you run with something like Ubuntu that comes with a bunch of software and pre-configuration on top of it, they're at the whim of the software running on it.

My opinion on the subject: Linux is built around a lot of Unix concepts, 40 years of software development and people beating these boxes to death, it is secure mainly by Unix's trial by fire, and this has helped immensely, lots of lessons were learned and directly applied to Linux.

Has this got anything to do with the Open-source nature of Linux?

A lot of it has to do with that, at least with the speed at which the higher volume of CVEs are addressed. This also allows a lot of smaller issues to be found and fixed (mainly due to it's popularity, because open-source with no popularity means few eyes on the code and little interest to fix).

Its underlying architecture (and the difference from Windows)?

Being built up around a multi-user environment helps a ton, these systems were built to have tons of people on them at once, and no one user should be able to interrupt another.

Smaller userbase in Linux makes desktop Linux a less attractive target. If only 0.1% of computers are running Ubuntu 10.04 and your trojan horse only works on that specific version of Linux, it will likely never catch. If your trojan horse only works on Windows XP, you still can attack ~25% of the market.

Often (not always) more knowledgable and more security conscious userbase. That said, OSes like Ubuntu have made Linux more accessible and you can find people doing dumb things on it.

Furthermore, somewhat debatable reasons you could argue that Linux often has a more secure design (that may not be so true any more as other OSes have played catchup).

Good privilege separation and access controls with su/sudo, that don't really exist in older versions of Windows.

Say you need some new software (image editor, LaTeX, or Python, etc) that doesn't come pre-installed in your OS. In Linux, 99% of the time you use your package manager to automatically download and install cryptographically signed software validated from a chain of trust. It will automatically use this for updates as well (so its easy to keep all software system-wide up to date, quickly patching security holes). In Windows, the majority of the time when I need to install something new, I have to search the web for it, download and install from some random http website that could load their software with spyware/bloatware/trojan horses or I could be subject to a MITM attack and download/install some virus instead, and each application has its own (different) installer/automatic updater. (That said I find people too trusting of PPAs, random scripts on the internet, or adding browser extensions as major security vulnerabilities of both Linux/Windows).

ssh. Your standard connection to another remote machine through ssh is very convenient and powerful, which is vastly superior to any windows remote authentication in terms of security. Whenever you connect to an ssh machine, you cryptographically check that the host key of the other machine hasn't changed from the previously used key; you can use your ssh private key to respond to a challenge token without letting eavesdroppers use replay attacks or keyloggers see your password. Then all traffic is sent encrypted between the two machines; furthermore its trivial to set up on a Linux box.

A variety of free Linux security tools: SELinux, AppArmor, wireshark, iptables (or a wrapper like ufw), ssh, cron, top (really htop), fail2ban, tripwire, GPG, OpenSSL, md5sum/sha256sum, etc. It's also very easy to setup scripts, scan a log file and email an alert, and do everything from the command line, etc. Granted most (all?) of these probably have Windows equivalents, but they tend to either not be free or change a lot between versions. Setting up a cronjob is basically to automate some task is pretty much the same as it was for the past 20 years; while setting up an automated task in Windows will have dramatic changes between OSes.

Not valid reasons:

Linus's law: "given enough eyeballs, all bugs are shallow" hence open-source being more secure than closed-source software. I don't find this argument particularly convincing as significant security holes have been found to have existed for months/years in open-source stuff (e.g., Debian OpenSSL). Its even worse as attackers can read the source, look for bugs (or even try to introduce disguised bugs into the codebase ). However, I don't believe that close-sourced software is intrinsically more secure either -- people still make mistakes and you can easily pay someone to introduce holes into a proprietary codebase (and with less eyeballs it may be impossible to notice); clearly security bugs and backdoors often do exist in close-sourced software and are attacked as well. (I consider this one more or less a tie.)

I suspect that the virus/malware situation on Linux is pretty much what would be "normal", and that the virus/malware situation on Windows is a statistical freak, more of a "Dragon King" than a Black Swan.

Windows has an unusually baroque set of APIs, Win32, NT native API, on and on and on, and there have been some problems between them, like Win32 being basically an ASCII interface while NT native is Unicode. This has at least facilitated malware. As an example of a Rococo detail, think about the magic device file names, AUX, CON, LP that work in any directory.

The Windows native API has never really been documented, and this lack of documentation flows though to other things, such as: what set of file name extensions is for executable files? Why does the file name determine whether a file is executable or not? Didn't the NIMDA worm spread via some problem with ".eml" files, as an example. Nobody knew that .eml files were executable at the time.

Windows has no tradition of separation of privileges, indeed it has a tradition of single, root-user. Lots of applications still assume this. Windows has no tradition of separation of data from executables. I give you Word macros embedded in the .doc file as an example of un-separated data and instructions that have historically caused virus problems.

Linux has at least traditions opposite to all the above points: mildly effective discretionary access controls, simple enough to be applied on a day-to-day basis, yet comprehensive enough to keep traditional file-type viruses at bay. The system call interface is only moderately complicated, and since source code is freely available, multiple sources of documentation exist. Executables typically live in "bin" directories, and data lives in another. Each executable has its own configuration file, rather than sharing the big ol' Registry. Data files live in per-user directories, and almost never contain the kind of all-powerful macros that Word, etc, data files contain.

Also, "linux" doesn't really exist as "Windows" does. Hundreds of distros exist, each customizing almost every aspect of low-level details. Different compiler versions, different linux kernels, some all-modular, some without modules. That's true of virtually every software aspect of a system, from the kernel, to email clients. Where "Windows" users by-and-large use Outlook email clients, Linux users use an array of hundreds of different clients, each in tens of versions. There's no user base for any given version of any given piece of software: the user base is not just fractured, it's shattered. This makes it a lot harder to find a vulnerability on a suitable number of hosts, or to write an exploit that would work on a large enough number of instances of software.

Linux tends to be used by more technically literate people (who will be skeptical about emails proclaiming 'I Love You')

Windows has greater market penetration.

Leaving aside the first point, it's debatable whether Linux is intrinsically more secure than MSWindows (IMHO it is, but that's a rather long and boring argument).

Given that MSWindows now has better privilege seperation than it used to, it's interesting to note that there is a particular distribution of Linux with strong market penetration, used by the proletariate, and which has a very unusual approach to privilege seperation - which is attracting a lot of malware development effort - Android.

While I wouldn't recommend not running an anti-virus and firewall on a MSWindows machine, by far the most important thing you can do to keep your computer clean is to configure it properly and keep up to date with vendor supplied patches.

I personally feel that this notion is due to the fact that Windows is far more widely used than linux. In addition, Linux is usually used in enterprise environments which should have better security than home systems and networks. This might contribute to the thinking that Linux is more secure than Windows.

Of course, both systems can be vulnerable if not configured properly and patched regularly. Both systems also has the potential to be secure if set up properly.

THis isn't a testable hypothesis: unless somehow we magically changed usage percentages around, nothing can convince us of the falsehood of that statement. Beyond that, we know that malware writers will target things like a specific firewall (see witth worm, en.wikipedia.org/wiki/Witty_%28computer_worm%29) with only about 12,000 installations globally. Why wouldn't some millions of linux machines attract malware?
– Bruce EdigerJun 28 '12 at 23:19

I have NEVER said linux is indeed more secure than windows. All my answer said is that Linux is perceived to be more secure than windows as it is more often used in Enterprise environments, which SHOULD have better security in general that windows, which is generally favoured in home environments.
– AyrxJun 29 '12 at 7:39